Merge "Make federated domain configurable"

This commit is contained in:
Jenkins 2015-02-17 19:32:53 +00:00 committed by Gerrit Code Review
commit e37c8ae632
4 changed files with 89 additions and 16 deletions


@ -511,6 +511,15 @@ FILE_OPTIONS = {
'Identity Provider from the environment (e.g. if '
'using the mod_shib plugin this value is '
'`Shib-Identity-Provider`).'),
cfg.StrOpt('federated_domain_name', default='Federated',
help='A domain name that is reserved to allow federated '
'ephemeral users to have a domain concept. Note that '
'an admin will not be able to create a domain with '
'this name or update an existing domain to this '
'name. You are not advised to change this value '
'unless you really have to. Changing this option '
'to empty string or None will not have any impact and '
'default name will be used.'),
],
'policy': [
cfg.StrOpt('driver',
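Review bot: The help text for federated_domain_name on lines 15–22 does not say that the reserved name is matched case-insensitively, although the resource Manager's assert_domain_not_federated in this same change lowercases both the option value and the domain name/id before comparing, so an operator reading only this option could assume a differently-cased spelling is still available for a regular domain. Suggest appending to the help string: `'The comparison against domain names and IDs is case-insensitive.'`. Minor wording: 'and default name will be used' reads better as 'and the default name will be used'.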


@ -67,9 +67,6 @@ class Manager(manager.Manager):
assignment_driver = dependency.REGISTRY['assignment_api'].driver
resource_driver = assignment_driver.default_resource_driver()
self.federated_domain_reserved = (
federation.FEDERATED_DOMAIN_KEYWORD.lower())
super(Manager, self).__init__(resource_driver)
def _get_hierarchy_depth(self, parents_list):
@ -127,20 +124,26 @@ class Manager(manager.Manager):
raise AssertionError(_('Domain is disabled: %s') % domain_id)
def assert_domain_not_federated(self, domain_id, domain):
"""Assert the Domain's name and id are not "Federated".
"""Assert the Domain's name and id do not match the resevered keyword.
Note that the reserved keyword 'Federated' is case insensitive
Note that the reserved keyword is defined in the configuration file,
by default, it is 'Federated', it is also case insensitive.
If config's option is empty the default hardcoded value 'Federated'
will be used.
:raise AssertionError if domain named match the value in the config.
:raise AssertionError if domain named "Federated".
"""
if domain.get('name') is not None:
if domain['name'].lower() == self.federated_domain_reserved:
raise AssertionError(_('Domain cannot be named Federated: %s')
% domain_id)
if domain_id.lower() == self.federated_domain_reserved:
raise AssertionError(_('Domain cannot have ID Federated: %s')
% domain_id)
# NOTE(marek-denis): We cannot create this attribute in the __init__ as
# config values are always initialized to default value.
federated_domain = (CONF.federation.federated_domain_name or
federation.FEDERATED_DOMAIN_KEYWORD).lower()
if (domain.get('name') and domain['name'].lower() == federated_domain):
raise AssertionError(_('Domain cannot be named %s')
% federated_domain)
if (domain_id.lower() == federated_domain):
raise AssertionError(_('Domain cannot have ID %s')
% federated_domain)
def assert_project_enabled(self, project_id, project=None):
"""Assert the project is enabled and its associated domain is enabled.
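Review bot: The rewritten error messages on lines 61–65 drop the offending domain id that the old messages carried (`% domain_id`), so an operator now sees only the reserved keyword and not which domain triggered the assertion; keep both, e.g. `raise AssertionError(_('Domain cannot be named %(name)s: %(id)s') % {'name': federated_domain, 'id': domain_id})` and the same shape for the ID branch. The new docstring has a typo, `resevered`, and 'if domain named match the value in the config' should read 'if the domain name or id matches the configured value'. The NOTE on lines 56–57 gives an unclear reason for not caching the value in `__init__`; if the intent is that the option may change after the manager is constructed (as the tests' config_fixture does), say so directly: `# NOTE: read CONF on every call so the option can change after the manager is created (e.g. test fixtures).`.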


@ -501,6 +501,62 @@ class AssignmentTestCase(test_v3.RestfulTestCase):
exception.DomainNotFound, self.assignment_api.delete_domain,
domain['id'])
def test_forbid_operations_on_defined_federated_domain(self):
"""Make sure one cannot operate on a user-defined federated domain.
This includes operations like create, update, delete.
"""
non_default_name = 'beta_federated_domain'
self.config_fixture.config(group='federation',
federated_domain_name=non_default_name)
domain = self.new_domain_ref()
domain['name'] = non_default_name
self.assertRaises(AssertionError,
self.assignment_api.create_domain,
domain['id'], domain)
self.assertRaises(exception.DomainNotFound,
self.assignment_api.delete_domain,
domain['id'])
self.assertRaises(AssertionError,
self.assignment_api.update_domain,
domain['id'], domain)
def test_set_federated_domain_when_config_empty(self):
"""Make sure we are operable even if config value is not properly
set.
This includes operations like create, update, delete.
"""
federated_name = 'Federated'
self.config_fixture.config(group='federation',
federated_domain_name='')
domain = self.new_domain_ref()
domain['id'] = federated_name
self.assertRaises(AssertionError,
self.assignment_api.create_domain,
domain['id'], domain)
self.assertRaises(exception.DomainNotFound,
self.assignment_api.delete_domain,
domain['id'])
self.assertRaises(AssertionError,
self.assignment_api.update_domain,
domain['id'], domain)
# swap id with name
domain['id'], domain['name'] = domain['name'], domain['id']
self.assertRaises(AssertionError,
self.assignment_api.create_domain,
domain['id'], domain)
self.assertRaises(exception.DomainNotFound,
self.assignment_api.delete_domain,
domain['id'])
self.assertRaises(AssertionError,
self.assignment_api.update_domain,
domain['id'], domain)
# Project CRUD tests
def test_list_projects(self):
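Review bot: test_forbid_operations_on_defined_federated_domain only exercises the exact configured string, so the case-insensitive match the manager applies (`.lower()` on both sides) is untested for a non-default name; add a pass with `domain['name'] = non_default_name.upper()` before repeating the create/update assertions. It also never checks the positive side, that the hard-coded 'Federated' becomes a legal name once a different name is configured; a `create_domain` with `domain['name'] = 'Federated'` expected to succeed would pin that. The option's help text promises that None behaves like the empty string, but test_set_federated_domain_when_config_empty only sets `''`, so a second fixture call with `federated_domain_name=None` would cover the documented contract. That test's docstring also wraps its summary onto a second line ('...not properly' / 'set.'); PEP 257 wants a one-line summary, e.g. `"""Make sure the default is used when the config value is empty.`.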


@ -463,6 +463,11 @@ class BaseProvider(provider.Provider):
return token_id, token_data
def _handle_mapped_tokens(self, auth_context, project_id, domain_id):
def get_federated_domain():
return (CONF.federation.federated_domain_name or
federation.FEDERATED_DOMAIN_KEYWORD)
federated_domain = get_federated_domain()
user_id = auth_context['user_id']
group_ids = auth_context['group_ids']
idp = auth_context[federation.IDENTITY_PROVIDER]
@ -476,8 +481,8 @@ class BaseProvider(provider.Provider):
'protocol': {'id': protocol}
},
'domain': {
'id': federation.FEDERATED_DOMAIN_KEYWORD,
'name': federation.FEDERATED_DOMAIN_KEYWORD
'id': federated_domain,
'name': federated_domain
}
}
}
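Review bot: The fallback expression on lines 131–132 duplicates the one in the resource Manager's assert_domain_not_federated (`CONF.federation.federated_domain_name or federation.FEDERATED_DOMAIN_KEYWORD`), and the two copies already differ in that the manager lowercases the result and this one does not; a single helper next to FEDERATED_DOMAIN_KEYWORD (say `federation.get_federated_domain_name()`) would keep the value that tokens advertise and the value the manager reserves from drifting apart. The nested `get_federated_domain` is called once and wraps a single expression, so it can be inlined: `federated_domain = (CONF.federation.federated_domain_name or federation.FEDERATED_DOMAIN_KEYWORD)`. _handle_mapped_tokens starts in this hunk and continues past it.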